Krebs on Security

In-depth security news and investigation

Online Cheating Site AshleyMadison Hacked

Large caches of data stolen from online cheating site AshleyMadison.com have been posted online by an individual or group that claims to have completely compromised the company’s user databases, financial records and other proprietary information. The still-unfolding leak could be quite damaging to some 37 million users of the hookup service, whose slogan is “Life is short. Have an affair.”

The data released by the hacker or hackers — which self-identify as The Impact Team — includes sensitive internal data stolen from Avid Life Media (ALM), the Toronto-based firm that owns AshleyMadison as well as related hookup sites Cougar Life and Established Men.

Reached by KrebsOnSecurity late Sunday evening, ALM Chief Executive Noel Biderman confirmed the hack, and said the company was “working diligently and feverishly” to take down ALM’s intellectual property. Indeed, in the short span of 30 minutes between that brief interview and the publication of this story, several of the Impact Team’s Web links were no longer responding.

“We’re not denying this happened,” Biderman said. “Like us or not, this is still a criminal act.”

Besides snippets of account data apparently sampled at random from among some 40 million users across ALM’s trio of properties, the hackers leaked maps of internal company servers, employee network account information, company bank account data and salary information.

According to the hackers, although the “full delete” feature that Ashley Madison advertises promises “removal of site usage history and personally identifiable information from the site,” users’ purchase details — including real name and address — aren’t actually scrubbed.

“Full Delete netted ALM $1.7mm in revenue in 2014. It’s also a complete lie,” the hacking group wrote. “Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”

Their demands continue:

“Avid Life Media has been instructed to take Ashley Madison and Established Men offline permanently in all forms, or we will release all customer records, including profiles with all the customers’ secret sexual fantasies and matching credit card transactions, real names and addresses, and employee documents and emails. The other websites may stay online.”

A snippet of the message left behind by the Impact Team.

It’s unclear how much of the AshleyMadison user account data has been posted online. For now, it appears the hackers have published a relatively small percentage of AshleyMadison user account data and are planning to publish more for each day the company stays online.

“Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” the hackers continued. “Too bad for ALM, you promised secrecy but didn’t deliver. We’ve got the complete set of profiles in our DB dumps, and we’ll release them soon if Ashley Madison stays online. And with over 37 million members, mostly from the US and Canada, a significant percentage of the population is about to have a very bad day, including many rich and powerful people.”

ALM CEO Biderman declined to discuss specifics of the company’s investigation, which he characterized as ongoing and fast-moving. But he did suggest that the incident may have been the work of someone who at least at one time had legitimate, inside access to the company’s networks — perhaps a former employee or contractor.

“We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”

As if to support this theory, the message left behind by the attackers gives something of a shout out to ALM’s director of security.

“Our one apology is to Mark Steele (Director of Security),” the manifesto reads. “You did everything you could, but nothing you could have done could have stopped this.”

Several of the leaked internal documents indicate ALM was hyper aware of the risks of a data breach. In a Microsoft Excel document that apparently served as a questionnaire for employees about challenges and risks facing the company, employees were asked “In what area would you hate to see something go wrong?”

Trevor Stokes, ALM’s chief technology officer, put his worst fears on the table: “Security,” he wrote. “I would hate to see our systems hacked and/or the leak of personal information.”

“Given the breach at AdultFriendFinder, investors will have to think of hack attacks as a risk factor,” the WSJ wrote. “And given its business’s reliance on confidentiality, prospective AshleyMadison investors should hope it has sufficiently, er, girded its loins.”

Update, 8:58 a.m. ET: ALM has released the following statement about this attack:

“We were recently made aware of an attempt by an unauthorized party to gain access to our systems. We immediately launched a thorough investigation utilizing leading forensics experts and other security professionals to determine the origin, nature, and scope of this incident.”

“We apologize for this unprovoked and criminal intrusion into our customers’ information. The current business world has proven to be one in which no company’s online assets are safe from cyber-vandalism, with Avid Life Media being only the latest among many companies to have been attacked, despite investing in the latest privacy and security technologies.”

“We have always had the confidentiality of our customers’ information foremost in our minds, and have had stringent security measures in place, including working with leading IT vendors from around the world. As other companies have experienced, these security measures have unfortunately not prevented this attack to our system.”

“At this time, we have been able to secure our sites, and close the unauthorized access points. We are working with law enforcement agencies, which are investigating this criminal act. Any and all parties responsible for this act of cyber–terrorism will be held responsible.”

“Avid Life Media has the utmost confidence in its business, and with the support of leading experts in IT security, including Joel Eriksson, CTO, Cycura, we will continue to be a leader in the services we provide.” “I have worked with leading companies around the world to secure their businesses. I have no doubt, based on the work I and my company are doing, Avid Life Media will continue to be a strong, secure business,” Eriksson said.

This entry was posted on Sunday, July 19th, 2015 at 11:40 pm and is filed under Data Breaches.

798 comments

If a Christian-espousing hacker decided to hack and release the names, addresses and PII of all the individuals who had abortions at clinics, would that be correct?

Abortion is something considered morally repugnant by a significant portion of the population. It is considered a sin to the religious and often considered a mark of shame to those who are not. There are many who consider it murder.

And yet, there are many who do not. So should that private information be allowed to be shared by an individual or group of individuals on the basis of their view of it as morally reprehensible, when it is legal?

Vigilante moralism may feel good, but it’s a crime, and a crime is a crime.

It *feels* good to expose cheaters, but I would hope that in the 21st century our legal system would be beyond enforcement of law on the basis of what *feels* good. That’s just mob justice, and mob justice *never* ends well and is a devolution.

The real story here should not be a debate on the morals of cheating or not cheating; there are other places to discuss that. The debate should be about IT security.

This was a big website with a reasonably good security reputation until this incident. We recently have had governments hacked, huge corporations hacked. What is next? Our banking and credit card system destroyed? That would put North America into a depression overnight.

This case is a good test case: 38 million clients violated, including credit information. How do we and every company out there prevent this from happening again? Can it even be prevented? Hackers are getting better and faster; this year alone, large-scale hacking has been in the news almost weekly.

If I was going into college today I’d either want to learn coding or cyber security for my career, I see potential in cyber security as the attacks increase.

Of course it’s not always sophistication, a lot of it has to do with the “don’t be paranoid no one will ever go that route to break in” mentality.

Rule #1: trust no one. #2: block every possible option for a breach, even the ones that “aren’t possible.” It’s a lot of work, yes, but a lot more work should something bad happen, and this goes for everyone, from your home computer to the business.

LEARN around security, ports, encryption, malware, viruses, etc, people these days are stupid, these hipsters with their one track minds think everything is fine and nothing bad can happen to them until their credit card or bank card is declined at the local trendy coffee shop. Hello reality.

I think this attack was a criminal act to get the 38 million pieces of credit card data. They are just using the excuse that they want the delete service to be free and all that crap. Why would hackers bother? Why would hackers care about morals? And why would anyone risk a very long prison sentence just to argue that the delete service is not as advertised?

Secondly, free or for a fee, nothing is truly deleted unless the drive is given a level 3 wipe.

Everyone from the small personal user to the small business to large companies needs to learn from this. Perhaps if corporate greed wasn’t priority one, more companies would hire full-time IT staff instead of using contractors and freelancers, and those full-time IT staff, paid fairly and given a long career with the company, would not only know the systems inside out as they build them but would be fiercely loyal and care about the company.

Just like law enforcement: the police force takes care of its officers, and the officers take care of each other and the police force.

I love it! 35 million immature morons thought it would be great fun to cheat on their partners. These 35 million morons thought Ashley M would create a playground where they could play out their perversions with impunity. Ha! Someone or some group decides ‘No, I don’t think so’ and ‘outs’ 35 million behaving like jerks, and now the jerks are screaming ‘No! How could this happen?’ Hmmm… not the brightest bulbs. Y’all made your bed. Enjoy your nap! Pathetic.

A little perspective here. AM does NOT have 37 million accounts. They claim they do to attract more customers. They have several millions for sure but many of their profiles are 100% fake. They are fake because many many people no doubt opened a fake account, without giving their credit card info, just to see what was going on. Secondly AM itself was CREATING fake profiles to attract people to pay. This is fact.

For those of you morally superior judgers of all, remember a certain number of these people did NOT have an affair: either their conscience kicked in after they signed up, they chickened out, they could not find a suitable partner, or any of a hundred other reasons. To say their lives (and their spouses’ and children’s lives) should be ruined because they CONSIDERED having an affair is pretty sick in my opinion. A momentary lapse in judgment is no reason to be condemned.

Let me also add, someone may have a brief affair 10 years ago, and then realized they should stop. They did, and have lived a virtuous life since, with their spouse, new kids, etc. You are saying it’s a good thing to bring that up 10 years later and throw a families’ lives into hell? As someone said, I don’t think that says too much about you or your morals. This is no one’s business. Period.

Sounds like your guilty conscience has rightfully gotten the best of you. Doesn’t matter if it was 10 (or 20) years ago… it can never be undone, and the betrayed loved one’s life is altered forever, even if they didn’t “find out.” They deserve the 100% truth and the choice to do the same. Adulterers (i.e., lying and cheating back-stabbers) deserve to be punished and exposed for what they really are and SHOULD pay for their “mistakes.”

Actually this is really sort of a hazy area. In an ideal world, those who cheated should confess to spouses and then let the chips fall where they may. That’s in an ideal world. But as most people discover after they’ve lived for a while, this is NOT an ideal world and sometimes a marriage is saved because a secret was not spewed out.
Anyway, everyone should be aware that anything you do on the Internet just is not secure, that’s for sure.

A marriage that has to be saved by lies should not be saved. By not letting people know their partner has cheated on them, they aren’t even given a chance to make a decision based on the truth. Relationships should be built on trust and truth.

Yeah, right. You realize, genius, that many people signed on with fake profiles, including the name of their boss, etc., just for fun. So don’t be surprised if someone who doesn’t like you signed YOU UP on the site!!!!

What will you say then? No, it wasn’t me? Yeah, right, like people are going to believe that!

Let me stop you right there. I agree with it being a private matter, but this is the lesser of all evils, better to make it public now and have a scandal than have partners find out their SO cheated later after devoting even more of your life to them or not finding out at all.

Sure maybe not everyone cheated, but they’re leaking credit card transactions and chat history too, they’re not putting everyone in the same category they’re showing the whole story; so even the fact that you registered on a cheating website should be addressed by couples that want a healthy relationship in my opinion because them thinking about it at least shows that there may be underlying issues that need to be ironed out.

In response to your last point; Well yes. 10 years ago, 20 years ago, it doesn’t matter. All that matters is that you betrayed your partner and they have a right to know, whether or not they forgive you is up to them and them alone. But THEY should find out and get the option of deciding on how to proceed

Um, sorry. Yes. Yes it is. If I run over and kill 3 kids at a school crossing because I had a ‘momentary lapse of judgement’ and went to send a quick text to my best friend, I think you deserve to be condemned.

If I think my girlfriend is being disrespectful to me and I punch her in the face and break her jaw in 3 places because of a ‘momentary lapse of judgement’, I think you deserve to be condemned.

Stop coming onto forums or comment sections and saying useless, stupid dribble. These people went to the effort of subscribing to a SYSTEMATIC AND CENTRALISED affair platform. Furthermore, it takes about fifty ‘momentary lapses of judgement’ to go through the steps of setting up an account in secret and mentally and physically engaging with the website. Fred, you sound like the type of guy who has cheated on your wife/girlfriend multiple times and you’re now spending your whole life trying to convince yourself you’ve done nothing wrong.

The next website that should be exposed is ‘The Erotic Review.’ The website is for men (hobbyists) who seek to hire escorts / prostitutes (providers). The providers post their photos, ads, and contact information on the website. After a hobbyist meets with a provider and pays her money for sex, they then engage in illegal sexual activities (prostitution). After the illegal encounter, the website encourages the hobbyist to review it, by scoring the provider’s looks and performance from 1-10 and write intimate sexual details of the encounter…thus the website’s name, ‘The Erotic Review.’

If you read the statement, the hackers’ problem with AM is not the nature of their business or morality of cheating, but with the fact that it’s a scam website and not delivering on their promise to delete profiles. Assuming this ‘Erotic Review’ is delivering on their promises and not scamming people, I would think the hackers wouldn’t have an issue with it.

It’s absolutely the business of the spouse and family. Great that they are now ALMOST on the up and up, but the fact that they are still being untruthful to their spouses means they are STILL being unfaithful and dishonoring their partner.

Question for Brian: With this AM hack this week, isn’t it odd that the hacker has taken the approach of dumping a sample of his data and then threatening to release more over time? Doesn’t this make it riskier for him in terms of getting caught? Aren’t most hacking attacks a one-time thing where a site is hacked and the data dumped or sold? This “holding a company hostage” just seems like something out of a movie… has it ever been done before? Is it a norm in hacker culture? I believe the hacker(s) contacted you directly already once… isn’t it risky for them like this, and doesn’t it increase the risk of getting caught?

I notified AM that they had a breach at least two years ago. I have a domain which I use to sign up free accounts at every site that I run across with an email address unique to that site. When I start getting spam/phishing/virus emails at that address, I alert the owner of the site. I had a short email exchange with someone at the site who requested more info, but I don’t believe anything panned out. Clearly, they didn’t heed my warning.

They could also be selling email addresses, which is quite common. If they don’t actually erase your information when you request it and pay for it (assuming the hacker was correct), then what’s to stop them from other egregious acts? Their product suggests a certain lack of morals.

Come on people it’s just sex and variety is the spice of life. You wouldn’t restrict yourself to eating potatoes all your life would you? And if your partner finds out and decides to leave then so be it…life is short there is more to companionship than sex…kikiki…laughing in Zimbabwean 😀

AshleyMadison Hacked is gonna be great entertainment. I can’t wait for the list of people I know. Parties will never be the same again. ANONYMOUS, YOU’RE OFF THE HOOK! KEEP UP THE GOOD WORK. ROTFLMFAO! MAYBE THIS IS A KICK IN THE GOOD BITS FOR PAYPAL TOO. OMG! LOVE IT! MORE MORE MORE!!

The hackers’ post on the AM site says “Too bad for those men, they’re cheating dirtbags and deserve no such discretion,” but most of the accounts (more than half) are women who are married and wanting an affair.

There’s nothing AM users should really worry about. Just check how hard it is to actually find the leaked data. And think about what percentage of people even heard about this story, or even about AM itself. And then find the intersection of that and those people who are cheated on (the people who didn’t even know that their spouse is having an affair). Pretty unlikely to have any real damage. Unless the cheaters on AM are mostly wives of tech geeks.

All said and told, this is someone on a high horse, and rest assured that whatever awaits us in the next life, they’re not going to be received with a parade to sing the glories of their pious and contrite justice meted out for all mankind. There is a disgusting stench and foulness about this group of people that cannot even be put into words.

If they were so bent on the simple agenda of destroying the construct they found SO OFFENSIVE, they would have simply hacked the site, announced anonymously that it was, and never held them over a gun. If cheaters were SO OFFENSIVE to their sensibilities, they would have simply dumped the data they had, when they had it, taken no credit, not given themselves a name, and not tried to drag this out.

They are worse than any cheater, for someone who would be impelled to seek happiness in another, regardless of their circumstance or moral grounds in doing so, at least seeks happiness; no one cheats because they are madly in love at home or with the lives they have. These people will do nothing good for anyone. They will only hurt thousands, and they will never create a moment of decency or happiness among all the affected that is worth even a fraction of the pain they are likely to induce with this. They seek simply to hurt. This is vengeance, not justice, not “do-goodery”; it’s just simple, base, impulsive and evil-natured behavior that is unforgivable.

This bunch, I hope, is hunted down by the same people they brazenly claim to hold a gun to, and maybe one of those powerful and important people is going to pay a lot of money to find them, and then evil will meet evil, for in the end that is what evil is: turning man against man. May they then take pride and joy in their act, and we’ll see how proud and righteous they are then at the hands of vengeance, the same act they took upon all these thousands of lives.

As someone who was registered on Ashley Madison, I feel more qualified than most to comment here.

What is most appalling, aside from the arbitrary and questionable moral opinions that the hackers seem keen to have everyone accept, is the surfacing of an online horde of holier-than-thou righteous commentators, slating the ‘cheaters’ as if they are beyond criticism. Nobody has the right to take the moral high ground. Let he who is without sin cast the first stone. I may have registered on Ashley Madison, but what I choose to do as a consenting adult, legally and behind closed doors, is, frankly, my business, not yours. The point is that this rabid hacker group have illegally and immorally stolen data, and have published this data illegally. Karma dictates that what goes around comes around. I’ve heard of detectives and investigators being hired already to track down the hacker group, muted sadly by a recent report that one guy who was outed in this data leak has, I believe, this evening taken his own life. Those people simply had no business interfering with all of this, and yet they did. That’s simply a home run in wrongness.

No one has the right to judge. There are two sides to every story, and the hackers and a whole bunch of .alt conversations would have you believe otherwise. The sad fact of the matter is that people who had no beef with the hackers will now potentially suffer, and this is undeserved. If you replace the words ‘Ashley Madison’ and ‘cheating’ with some of the anti-gay or racist terms used in the earlier 20th century, then you see this for what it is: the same homophobic, odiously judgmental and bigoted approach that is simply abhorrent.

So, as a person that DID subscribe to AM, and gave over no credit card details and after a few looks decided that cheating was a stupid idea and did NOTHING, why should I be punished?

It’s really sad – in a moment of weakness and stupidity I used the site to look around and really decided it was a totally dumb idea and apparently thought I had deleted my data. So now I will get painted as a horrible person with all the rest.

10-15 years ago a lot of us were just not as aware as we are now of the precautions we should be taking with our data… and now we pay for our innocence, lack of knowledge, complete stupidity, and a company’s inability to maintain data security and follow-through.

Come on, folks. If anyone is keen to cheat, there are plenty of other ways to find a willing partner. Closing down a site that allegedly provides adulterers with an online interface achieves little except a few headlines.

All you Internet addicts contribute to these problems. I don’t feel bad for a single person. Facebook and Twitter are no better than a cheating web site. They are very much the same. Most of you suffer from attention/personality complexes. Everyone on those sites think what they post is so important that they think people actually care what they think, eat, or do. I for one do not exist on any social media. I think it’s lame, and for lonely people who have no life. Turn off the stupid internet, and live in the real world. Face it, more harm will always come from the Internet than good. It’s human nature these days to try and inflict as much pain, or envy as possible.